playbooks

home / skills / eyadsibai / ltk / k8s-security

k8s-security skill

/plugins/ltk-devops/skills/k8s-security

This skill helps secure Kubernetes clusters by guiding network policies, RBAC, pod security standards, and policy enforcement for hardened deployments.

npx playbooks add skill eyadsibai/ltk --skill k8s-security

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
3.7 KB
---
name: k8s-security
description: Use when securing Kubernetes clusters, implementing network policies, configuring RBAC, pod security standards, or asking about "Kubernetes security", "NetworkPolicy", "PodSecurityPolicy", "RBAC", "pod security standards", "OPA Gatekeeper"
version: 1.0.0
---

# Kubernetes Security Policies

Implement defense-in-depth security for Kubernetes clusters.

## Pod Security Standards

### Restricted (Most Secure)

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: restricted-ns
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: restricted
```

### Secure Pod Configuration

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: app
    image: myapp:1.0
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
```

## Network Policies

### Default Deny All

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
```

### Allow Frontend to Backend

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  podSelector:
    matchLabels:
      app: backend
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: frontend
    ports:
    - protocol: TCP
      port: 8080
```

### Allow DNS Egress

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-dns
spec:
  podSelector: {}
  policyTypes:
  - Egress
  egress:
  - to:
    - namespaceSelector:
        matchLabels:
          name: kube-system
    ports:
    - protocol: UDP
      port: 53
```

## RBAC Configuration

### Role (Namespace-scoped)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]
```

### RoleBinding

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: read-pods
subjects:
- kind: ServiceAccount
  name: my-app
  namespace: production
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
```

## OPA Gatekeeper Policies

### Required Labels Constraint

```yaml
apiVersion: templates.gatekeeper.sh/v1
kind: ConstraintTemplate
metadata:
  name: k8srequiredlabels
spec:
  crd:
    spec:
      names:
        kind: K8sRequiredLabels
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package k8srequiredlabels
        violation[{"msg": msg}] {
          provided := {label | input.review.object.metadata.labels[label]}
          required := {label | label := input.parameters.labels[_]}
          missing := required - provided
          count(missing) > 0
          msg := sprintf("missing labels: %v", [missing])
        }
```

## Service Mesh Security (Istio)

### Strict mTLS

```yaml
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
spec:
  mtls:
    mode: STRICT
```

## Best Practices

1. **Pod Security Standards** at namespace level
2. **Network Policies** for segmentation
3. **Least-privilege RBAC** for all service accounts
4. **Run containers as non-root**
5. **Read-only root filesystem**
6. **Drop all capabilities** unless needed
7. **Enable audit logging**
8. **Regular image scanning**

## Troubleshooting

```bash
# Check RBAC permissions
kubectl auth can-i list pods --as system:serviceaccount:default:my-sa

# Debug NetworkPolicy
kubectl describe networkpolicy <name>
kubectl get networkpolicy -A
```

Overview

This skill helps secure Kubernetes clusters by providing practical guidance and examples for Pod Security Standards, NetworkPolicy, RBAC, and OPA Gatekeeper constraints. It focuses on concrete, reproducible configurations and defensive patterns to reduce attack surface and enforce cluster policy. Use it to harden namespaces, pods, and inter-pod communications with clear YAML snippets and troubleshooting tips.

How this skill works

The skill inspects common Kubernetes security domains and supplies ready-to-apply manifests and patterns: namespace-level Pod Security labels, secure pod securityContext settings, default-deny and selective NetworkPolicy rules, least-privilege RBAC roles and bindings, and OPA Gatekeeper constraint templates. It also includes service-mesh (Istio) mTLS configuration and commands for validating RBAC and NetworkPolicy behavior. Combined, these artifacts support a defense-in-depth approach you can apply incrementally.

When to use it

  • When onboarding a new cluster or creating security baselines for namespaces
  • When implementing network segmentation between application tiers
  • When enforcing least-privilege access for service accounts and users
  • When you need admission-time policy enforcement with OPA Gatekeeper
  • When enabling strict mTLS in an Istio service mesh

Best practices

  • Apply Pod Security Standards at the namespace level to enforce consistent pod protections
  • Start with a default-deny NetworkPolicy and allow only required traffic
  • Grant RBAC permissions using narrow Roles and RoleBindings scoped to namespaces
  • Run containers as non-root, use read-only root filesystems, and drop ALL capabilities
  • Enable audit logging and regularly scan images for vulnerabilities

Example use cases

  • Lock down developer namespaces to the 'restricted' Pod Security Standard before production rollout
  • Create a NetworkPolicy that allows only frontend pods to talk to backend pods on service ports
  • Define a Role that only permits listing and getting pods and bind it to a service account
  • Add a Gatekeeper constraint template to require specific labels on critical resources
  • Enable Istio PeerAuthentication with STRICT mTLS to enforce encrypted service-to-service traffic

FAQ

How do I test whether RBAC rules permit an action?

Use kubectl auth can-i with the --as flag to simulate a service account or user, for example: kubectl auth can-i list pods --as system:serviceaccount:default:my-sa

What is the recommended starting point for NetworkPolicy?

Apply a default-deny policy for ingress and egress, then incrementally add allow rules that specify podSelectors, namespaceSelectors, and ports.